I installed ZFCUser successfully. Now I wonder if there is a way to globally check for authentication.
As outlined in the wiki there are several ways to check for auth. They all work but do I have to put the check-if-clause really in every single action? All my sites should be only accessable when beeing logged in and if not, you should be rerouted to the login page.
Does anybody know if there's a central place where I can put this logic?
The problem has been solved thanks to @samsonasik comment to another question.
public function checkAuth(MvcEvent $e){
# ... get auth service
if (!$auth->hasIdentity()) {
$e->getRouteMatch()
->setParam('controller', 'zfcuser')
->setParam('action', 'login');
}
return;
}
So I have changed route without external redirection.
If you insist on checking authentication in the onBoostrap method you could do something like this:
class Module
{
protected $whitelist = array(
'zfcuser/login' => array('login'),
'your-landing-route' => array('your-landing-action'),
);
public function onBootstrap($e)
{
$app = $e->getApplication();
$em = $app->getEventManager();
$sm = $app->getServiceManager();
$list = $this->whitelist;
$auth = $sm->get('zfcuser_auth_service');
$em->attach(MvcEvent::EVENT_ROUTE, function($e) use ($list, $auth) {
$match = $e->getRouteMatch();
// No route match, this is a 404
if (!$match instanceof RouteMatch) {
return;
}
// Route and action is whitelisted
$routeName = $match->getMatchedRouteName();
$action = $match->getParam("action");
if(array_key_exists($routeName,$list) && in_array($action,$list[$routeName])) {
return;
}
// User is authenticated
if ($auth->hasIdentity()) {
return;
}
// Redirect to the user login page, as an example
$router = $e->getRouter();
$url = $router->assemble(array(), array(
'name' => 'zfcuser/login'
));
$response = $e->getResponse();
$response->getHeaders()->addHeaderLine('Location', $url);
$response->setStatusCode(302);
return $response;
}, -100);
}
}
I've just changed the code a little but so your white list also contains specific actions. Then we can check the action parameter to be a little bit more specific with your white listing.
I don't know if this is the best way to do it, I'm just showing you how you can do it.
I don't think you even need to check authentication when using BjyAuthorize as you can just use resource checks. If a user has anything other than a guest role then they are a real user and are authenticated. Again, I'm not 100% on that but I do know that I don't use ZfcUser authentication checks in my application which uses BjyAuthorize. I just use route guards to specify the role level needed for a aparticular route.
Maybe somebody else could clarify this?
Insert [/] to fix it. try:
'route' => '/admin[/:controller[/:action]][/]',
You can handle the exceptions in anyway you want after catching it as the following example in which you are catching the exception globally...:
In the onBootstrap method in your Module.php you can attach a function to execute when an event occurs, the following attach a function to be executed when an error (exception) is raised:
public function onBootstrap(MvcEvent $e)
{
$application = $e->getApplication();
$em = $application->getEventManager();
//handle the dispatch error (exception)
$em->attach(ZendMvcMvcEvent::EVENT_DISPATCH_ERROR, array($this, 'handleError'));
//handle the view render error (exception)
$em->attach(ZendMvcMvcEvent::EVENT_RENDER_ERROR, array($this, 'handleError'));
}
and then define the function to handle the error in any way you want, the following is an example:
public function handleError(MvcEvent $e)
{
//get the exception
$exception = $e->getParam('exception');
//...handle the exception... maybe log it and redirect to another page,
//or send an email that an exception occurred...
}
To be honest, I don't think it is a good idea to block every page for a non-authenticated user. How would you access the login page?
That said, you must know the page being accessed, to make a whitelist of pages accessible for anonymous visitors. To start, I'd suggest to include the login page. You can check pages the easiest by using their route. So check the current matched route against the whitelist. If blocked, act upon. Otherwise, do nothing.
An example would be inside a Module.php from a module, for example your application: